MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c68211388d28ac7127d456b95f125b81b57933bfba78e60bf758dd8b4d1d540d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c68211388d28ac7127d456b95f125b81b57933bfba78e60bf758dd8b4d1d540d
SHA3-384 hash: 03b6835ad1c89592a714144c084457c86759b7981813e916935dfb785914e42cb8de2a97e6895a36758cf45941e46ce7
SHA1 hash: f9212b5fdf5c112ec7bfc35d599b444080085bec
MD5 hash: 14607be7cd176c09bc483067aa8a5f13
humanhash: beryllium-minnesota-kansas-virginia
File name:c68211388d28ac7127d456b95f125b81b57933bfba78e60bf758dd8b4d1d540d
Download: download sample
Signature njrat
Create hunting rule
File size:552'984 bytes
First seen:2020-11-15 23:04:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:2aXEM47Fl4G2QitX+t49893i0JzazdowBKIbUDo:2jM47iQiXPKwKw0IwDo
Threatray 60 similar samples on MalwareBazaar
TLSH 3CC4E002B9D189B2E472193656685B10AA377C201F78C9DBB3EC1A4DCB735D19A34FB3
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Emotet-9790742-0
Create hunting rule

Win.Packed.Emotet-9790818-0
Create hunting rule

Win.Dropper.NetWire-9792487-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Launching a process
Forced system process termination
Deleting a recently created file
Creating a file
Creating a process with a hidden window
Connection attempt
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/537562
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 317878 Sample: 7hpoq2ykLk Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Detected njRat 2->57 59 7 other signatures 2->59 10 7hpoq2ykLk.exe 13 2->10         started        process3 file4 45 C:\Users\user\AppData\...\loriedoodles.exe, PE32 10->45 dropped 47 C:\Users\user\AppData\...\cutedoodles.sfx.exe, PE32 10->47 dropped 13 cutedoodles.sfx.exe 9 10->13         started        17 loriedoodles.exe 8 10->17         started        process5 file6 49 C:\Users\user\AppData\...\cutedoodles.exe, PE32 13->49 dropped 79 Multi AV Scanner detection for dropped file 13->79 19 cutedoodles.exe 1 5 13->19         started        23 cmd.exe 1 17->23         started        25 conhost.exe 17->25         started        signatures7 process8 file9 43 C:\Users\user\AppData\...\cutedoodles.exe, PE32 19->43 dropped 61 Antivirus detection for dropped file 19->61 63 Multi AV Scanner detection for dropped file 19->63 65 Machine Learning detection for dropped file 19->65 27 cutedoodles.exe 2 4 19->27         started        67 Uses cmd line tools excessively to alter registry or file data 23->67 31 reg.exe 1 1 23->31         started        33 reg.exe 1 1 23->33         started        35 reg.exe 1 1 23->35         started        37 10 other processes 23->37 signatures10 process11 dnsIp12 51 127.0.0.1 unknown unknown 27->51 69 Antivirus detection for dropped file 27->69 71 Multi AV Scanner detection for dropped file 27->71 73 Machine Learning detection for dropped file 27->73 75 Disables Windows Defender (deletes autostart) 31->75 77 Disable Windows Defender real time protection (registry) 33->77 39 netsh.exe 1 3 35->39         started        signatures13 process14 process15 41 conhost.exe 39->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c68211388d28ac7127d456b95f125b81b57933bfba78e60bf758dd8b4d1d540d/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:06:32 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2bbcoenfcwhcj6uk24v6es3qg2xsm57xj4omc7xldoywti5kqgq._file
Verdict:
malicious
Similar samples:
01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d
njrat
076dfc0a55afc36cdfd6dff84cfd0feae23029843e745b7f122980b341f7b710
njrat
28d1ce2d141fcfc52b6b8a81f5424920ba2818a14e8ac201446697ff977082de
njrat
2f7c799eb16f3ee23dea72b7aa2ff3797b797c6060d5d23fe424b80e36ff10c8
njrat
47470dc6911824b1a903197f0d06acedeba47415ebf3d212dd6514a14eec0ded
njrat
bc9204be92ac0bd373bc0153d02be668ad82d382ebcc112fa8c252e6f9c67080
njrat
bfae4bc772025d9c3b68f74230a937a1bf062c4bb22994ce2606aa785577c2b4
njrat
e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16
njrat
e748f3e105a9370ec194134350c352b1a2c12cdf43be16e5804e4eb12ab39c13
njrat
f1ff26f937fb6b5d3071a430d45db0439454d9311ef88610aeac7620e1c89e54
njrat
+ 50 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan
Link:
https://tria.ge/reports/201115-2fsrgxmytn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies service
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
c68211388d28ac7127d456b95f125b81b57933bfba78e60bf758dd8b4d1d540d
MD5 hash:
14607be7cd176c09bc483067aa8a5f13
SHA1 hash:
f9212b5fdf5c112ec7bfc35d599b444080085bec
Link:
https://www.unpac.me/results/d3ec32c1-9c8f-4ad1-aead-b73c1d54ecf5/
SH256 hash:
33ecc85c8b2acacd811f34aa126450648abed0673e1083412885cc142ad48ba1
MD5 hash:
969cea3ee9b5415094dac1d6314591f1
SHA1 hash:
feb64d6ff78c8d0ca00baca22ab9785f7b691691
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/d3ec32c1-9c8f-4ad1-aead-b73c1d54ecf5/
Parent samples :
c452942c2960fce8e7ba452dac0790a4527222cceb6d8ed7af1ca42fce1bf965
33ecc85c8b2acacd811f34aa126450648abed0673e1083412885cc142ad48ba1
ef49a4e6827b31cf3743a20908ed7053376f2256c0e82bf0279dda4eca9214bc
47470dc6911824b1a903197f0d06acedeba47415ebf3d212dd6514a14eec0ded
f1ff26f937fb6b5d3071a430d45db0439454d9311ef88610aeac7620e1c89e54
17cdfe9fa78ee6ab72302c300ba976410f3f53a697a9953c6f22cce20eaae555
94f321756ed39f6bb5a4d253a19e5e40e471dd2d23a7be25e7dfe1a03a4b6998
c68211388d28ac7127d456b95f125b81b57933bfba78e60bf758dd8b4d1d540d
SH256 hash:
b93db68d0ddbbb4b9b68ba786d9a8aa4a1e3cadc66cd8c60c95e36791c73a971
MD5 hash:
f7d0b46dbde116bec0158b22a607bb02
SHA1 hash:
263f9a78f3807717b4cd1c586fa99f4517e57519
Link:
https://www.unpac.me/results/d3ec32c1-9c8f-4ad1-aead-b73c1d54ecf5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c68211388d28ac7127d456b95f125b81b57933bfba78e60bf758dd8b4d1d540d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments